Merge pull request #98 from step-security/rcbranch

Release 1.4.0
This commit is contained in:
Varun Sharma 2022-02-13 08:33:49 -08:00 committed by GitHub
commit bdb12b622a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 2046 additions and 145 deletions

5
.gitignore vendored

@ -101,4 +101,7 @@ typings/
.dynamodb/
# TernJS port file
.tern-port
.tern-port
# vscode files
.vscode


@ -1,19 +1,26 @@
name: 'Harden Runner'
description: 'GitHub Actions Runtime Security'
name: "Harden Runner"
description: "Security monitoring for the GitHub-hosted runner"
inputs:
allowed-endpoints:
description: 'Only these endpoints will be allowed if egress-policy is set to block'
description: "Only these endpoints will be allowed if egress-policy is set to block"
required: false
default: ''
default: ""
egress-policy:
description: 'Policy for outbound traffic, can be either audit or block'
description: "Policy for outbound traffic, can be either audit or block"
required: false
default: 'block'
default: "block"
token:
description: "Used to avoid github rate limiting"
default: ${{ github.token }}
disable-telemetry:
description: "Disable sending telemetry to StepSecurity API, can be set to true or false. This can only be set to true when egress-policy is set to block"
required: false
default: "false"
branding:
icon: 'check-square'
color: 'green'
icon: "check-square"
color: "green"
runs:
using: 'node12'
pre: 'dist/pre/index.js'
main: 'dist/index.js'
post: 'dist/post/index.js'
using: "node16"
pre: "dist/pre/index.js"
main: "dist/index.js"
post: "dist/post/index.js"
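Review bot: The new `disable-telemetry` description states it can only be set to true when egress-policy is block, but src/setup.ts (L714–L733, L750) never rejects the combination with audit: it skips the monitor call, still prints the dashboard link, and includes `disable_telemetry: true` in the config it serializes, so a user who trusts the description gets undocumented behaviour instead of an error. Either enforce the constraint next to the existing egress-policy check, e.g. `if (confg.disable_telemetry && confg.egress_policy !== "block") { core.setFailed("disable-telemetry can only be set to true when egress-policy is block"); return; }`, or reword the description to say what actually happens in audit mode. The `token` input is also the only one without `required: false`; adding it keeps the input declarations consistent.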

1688
dist/index.js vendored

File diff suppressed because it is too large Load diff

2
dist/index.js.map vendored

File diff suppressed because one or more lines are too long

51
dist/pre/index.js vendored

@ -6261,6 +6261,24 @@ function printInfo(web_url) {
// EXTERNAL MODULE: ./node_modules/@actions/tool-cache/lib/tool-cache.js
var tool_cache = __nccwpck_require__(7784);
// EXTERNAL MODULE: external "crypto"
var external_crypto_ = __nccwpck_require__(6417);
;// CONCATENATED MODULE: ./src/checksum.ts
function verifyChecksum(downloadPath) {
const fileBuffer = external_fs_.readFileSync(downloadPath);
const checksum = external_crypto_.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
const expectedChecksum = "28427e325c00f49e391af0899f49fe34e73b36b113a9f095660b73da88c43280"; // checksum for v0.9.0
if (checksum !== expectedChecksum) {
core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
}
core.debug("Checksum verification passed.");
}
;// CONCATENATED MODULE: ./src/setup.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -6279,6 +6297,7 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
(() => __awaiter(void 0, void 0, void 0, function* () {
try {
if (process.platform !== "linux") {
@ -6289,14 +6308,6 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
var env = "agent";
var api_url = `https://${env}.api.stepsecurity.io/v1`;
var web_url = "https://app.stepsecurity.io";
let _http = new http_client.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
}
catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
const confg = {
repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"],
@ -6305,6 +6316,7 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
api_url: api_url,
allowed_endpoints: core.getInput("allowed-endpoints"),
egress_policy: core.getInput("egress-policy"),
disable_telemetry: core.getBooleanInput("disable-telemetry"),
};
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
core.setFailed("egress-policy must be either audit or block");
@ -6312,13 +6324,32 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
if (confg.egress_policy === "block" && confg.allowed_endpoints === "") {
core.warning("egress-policy is set to block (default) and allowed-endpoints is empty. No outbound traffic will be allowed for job steps.");
}
if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
core.setFailed("disable-telemetry must be a boolean value");
}
if (!confg.disable_telemetry) {
let _http = new http_client.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
}
catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
}
const confgStr = JSON.stringify(confg);
external_child_process_.execSync("sudo mkdir -p /home/agent");
external_child_process_.execSync("sudo chown -R $USER /home/agent");
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.8.6/agent_0.8.6_linux_amd64.tar.gz");
// Note: to avoid github rate limiting
let token = core.getInput("token");
let auth = `token ${token}`;
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.9.0/agent_0.9.0_linux_amd64.tar.gz", undefined, auth);
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = yield tool_cache.extractTar(downloadPath);
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
printInfo(web_url);
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
printInfo(web_url);
}
let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
external_child_process_.execFileSync(cmd, args);
external_child_process_.execSync("chmod +x /home/agent/agent");

File diff suppressed because one or more lines are too long

243
package-lock.json generated

@ -1,12 +1,12 @@
{
"name": "step-security-harden-runner",
"version": "0.3.0",
"version": "1.1.0",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "step-security-harden-runner",
"version": "0.3.0",
"version": "1.1.0",
"license": "Apache License 2.0",
"dependencies": {
"@actions/core": "^1.5.0",
@ -14,7 +14,7 @@
"@actions/github": "^5.0.0",
"@actions/http-client": "^1.0.11",
"@actions/tool-cache": "^1.7.1",
"node-fetch": "^2.6.1",
"node-fetch": ">=2.6.7",
"uuid": "^8.3.2"
},
"devDependencies": {
@ -958,7 +958,6 @@
"jest-resolve": "^26.6.2",
"jest-util": "^26.6.2",
"jest-worker": "^26.6.2",
"node-notifier": "^8.0.0",
"slash": "^3.0.0",
"source-map": "^0.6.0",
"string-length": "^4.0.1",
@ -1187,6 +1186,44 @@
"once": "^1.4.0"
}
},
"node_modules/@octokit/request/node_modules/node-fetch": {
"version": "2.6.7",
"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
"integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
"dependencies": {
"whatwg-url": "^5.0.0"
},
"engines": {
"node": "4.x || >=6.0.0"
},
"peerDependencies": {
"encoding": "^0.1.0"
},
"peerDependenciesMeta": {
"encoding": {
"optional": true
}
}
},
"node_modules/@octokit/request/node_modules/tr46": {
"version": "0.0.3",
"resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
"integrity": "sha1-gYT9NH2snNwYWZLzpmIuFLnZq2o="
},
"node_modules/@octokit/request/node_modules/webidl-conversions": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
"integrity": "sha1-JFNCdeKnvGvnvIZhHMFq4KVlSHE="
},
"node_modules/@octokit/request/node_modules/whatwg-url": {
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
"integrity": "sha1-lmRU6HZUYuN2RNNib2dCzotwll0=",
"dependencies": {
"tr46": "~0.0.3",
"webidl-conversions": "^3.0.0"
}
},
"node_modules/@octokit/types": {
"version": "6.34.0",
"resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.34.0.tgz",
@ -2323,6 +2360,14 @@
"integrity": "sha512-b0tGHbfegbhPJpxpiBPU2sCkigAqtM9O121le6bbOlgyV+NyGyCmVfJ6QW9eRjz8CpNfWEOYBIMIGRYkLwsIYg==",
"dev": true
},
"node_modules/data-uri-to-buffer": {
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/data-uri-to-buffer/-/data-uri-to-buffer-4.0.0.tgz",
"integrity": "sha512-Vr3mLBA8qWmcuschSLAOogKgQ/Jwxulv3RNE4FXnYWRGujzrRWQI4m12fQqRkwX06C0KanhLr4hK+GydchZsaA==",
"engines": {
"node": ">= 12"
}
},
"node_modules/data-urls": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/data-urls/-/data-urls-2.0.0.tgz",
@ -2567,8 +2612,7 @@
"esprima": "^4.0.1",
"estraverse": "^5.2.0",
"esutils": "^2.0.2",
"optionator": "^0.8.1",
"source-map": "~0.6.1"
"optionator": "^0.8.1"
},
"bin": {
"escodegen": "bin/escodegen.js",
@ -3188,6 +3232,28 @@
"bser": "2.1.1"
}
},
"node_modules/fetch-blob": {
"version": "3.1.4",
"resolved": "https://registry.npmjs.org/fetch-blob/-/fetch-blob-3.1.4.tgz",
"integrity": "sha512-Eq5Xv5+VlSrYWEqKrusxY1C3Hm/hjeAsCGVG3ft7pZahlUAChpGZT/Ms1WmSLnEAisEXszjzu/s+ce6HZB2VHA==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/jimmywarting"
},
{
"type": "paypal",
"url": "https://paypal.me/jimmywarting"
}
],
"dependencies": {
"node-domexception": "^1.0.0",
"web-streams-polyfill": "^3.0.3"
},
"engines": {
"node": "^12.20 || >= 14.13"
}
},
"node_modules/file-entry-cache": {
"version": "6.0.1",
"resolved": "https://registry.npmjs.org/file-entry-cache/-/file-entry-cache-6.0.1.tgz",
@ -3267,6 +3333,17 @@
"node": ">= 6"
}
},
"node_modules/formdata-polyfill": {
"version": "4.0.10",
"resolved": "https://registry.npmjs.org/formdata-polyfill/-/formdata-polyfill-4.0.10.tgz",
"integrity": "sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==",
"dependencies": {
"fetch-blob": "^3.1.2"
},
"engines": {
"node": ">=12.20.0"
}
},
"node_modules/fragment-cache": {
"version": "0.2.1",
"resolved": "https://registry.npmjs.org/fragment-cache/-/fragment-cache-0.2.1.tgz",
@ -4207,7 +4284,6 @@
"@types/node": "*",
"anymatch": "^3.0.3",
"fb-watchman": "^2.0.0",
"fsevents": "^2.1.2",
"graceful-fs": "^4.2.4",
"jest-regex-util": "^26.0.0",
"jest-serializer": "^26.6.2",
@ -5154,34 +5230,39 @@
"integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==",
"dev": true
},
"node_modules/node-fetch": {
"version": "2.6.5",
"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.5.tgz",
"integrity": "sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==",
"dependencies": {
"whatwg-url": "^5.0.0"
},
"node_modules/node-domexception": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
"integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/jimmywarting"
},
{
"type": "github",
"url": "https://paypal.me/jimmywarting"
}
],
"engines": {
"node": "4.x || >=6.0.0"
"node": ">=10.5.0"
}
},
"node_modules/node-fetch/node_modules/tr46": {
"version": "0.0.3",
"resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
"integrity": "sha1-gYT9NH2snNwYWZLzpmIuFLnZq2o="
},
"node_modules/node-fetch/node_modules/webidl-conversions": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
"integrity": "sha1-JFNCdeKnvGvnvIZhHMFq4KVlSHE="
},
"node_modules/node-fetch/node_modules/whatwg-url": {
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
"integrity": "sha1-lmRU6HZUYuN2RNNib2dCzotwll0=",
"node_modules/node-fetch": {
"version": "3.2.0",
"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.2.0.tgz",
"integrity": "sha512-8xeimMwMItMw8hRrOl3C9/xzU49HV/yE6ORew/l+dxWimO5A4Ra8ld2rerlJvc/O7et5Z1zrWsPX43v1QBjCxw==",
"dependencies": {
"tr46": "~0.0.3",
"webidl-conversions": "^3.0.0"
"data-uri-to-buffer": "^4.0.0",
"fetch-blob": "^3.1.4",
"formdata-polyfill": "^4.0.10"
},
"engines": {
"node": "^12.20.0 || ^14.13.1 || >=16.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/node-fetch"
}
},
"node_modules/node-int64": {
@ -7431,6 +7512,14 @@
"makeerror": "1.0.12"
}
},
"node_modules/web-streams-polyfill": {
"version": "3.2.0",
"resolved": "https://registry.npmjs.org/web-streams-polyfill/-/web-streams-polyfill-3.2.0.tgz",
"integrity": "sha512-EqPmREeOzttaLRm5HS7io98goBgZ7IVz79aDvqjD0kYXLtFZTc0T/U6wHTPKyIjb+MdN7DFIIX6hgdBEpWmfPA==",
"engines": {
"node": ">= 8"
}
},
"node_modules/webidl-conversions": {
"version": "6.1.0",
"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-6.1.0.tgz",
@ -8550,6 +8639,35 @@
"is-plain-object": "^5.0.0",
"node-fetch": "^2.6.1",
"universal-user-agent": "^6.0.0"
},
"dependencies": {
"node-fetch": {
"version": "2.6.7",
"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
"integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
"requires": {
"whatwg-url": "^5.0.0"
}
},
"tr46": {
"version": "0.0.3",
"resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
"integrity": "sha1-gYT9NH2snNwYWZLzpmIuFLnZq2o="
},
"webidl-conversions": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
"integrity": "sha1-JFNCdeKnvGvnvIZhHMFq4KVlSHE="
},
"whatwg-url": {
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
"integrity": "sha1-lmRU6HZUYuN2RNNib2dCzotwll0=",
"requires": {
"tr46": "~0.0.3",
"webidl-conversions": "^3.0.0"
}
}
}
},
"@octokit/request-error": {
@ -9440,6 +9558,11 @@
}
}
},
"data-uri-to-buffer": {
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/data-uri-to-buffer/-/data-uri-to-buffer-4.0.0.tgz",
"integrity": "sha512-Vr3mLBA8qWmcuschSLAOogKgQ/Jwxulv3RNE4FXnYWRGujzrRWQI4m12fQqRkwX06C0KanhLr4hK+GydchZsaA=="
},
"data-urls": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/data-urls/-/data-urls-2.0.0.tgz",
@ -10108,6 +10231,15 @@
"bser": "2.1.1"
}
},
"fetch-blob": {
"version": "3.1.4",
"resolved": "https://registry.npmjs.org/fetch-blob/-/fetch-blob-3.1.4.tgz",
"integrity": "sha512-Eq5Xv5+VlSrYWEqKrusxY1C3Hm/hjeAsCGVG3ft7pZahlUAChpGZT/Ms1WmSLnEAisEXszjzu/s+ce6HZB2VHA==",
"requires": {
"node-domexception": "^1.0.0",
"web-streams-polyfill": "^3.0.3"
}
},
"file-entry-cache": {
"version": "6.0.1",
"resolved": "https://registry.npmjs.org/file-entry-cache/-/file-entry-cache-6.0.1.tgz",
@ -10169,6 +10301,14 @@
"mime-types": "^2.1.12"
}
},
"formdata-polyfill": {
"version": "4.0.10",
"resolved": "https://registry.npmjs.org/formdata-polyfill/-/formdata-polyfill-4.0.10.tgz",
"integrity": "sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==",
"requires": {
"fetch-blob": "^3.1.2"
}
},
"fragment-cache": {
"version": "0.2.1",
"resolved": "https://registry.npmjs.org/fragment-cache/-/fragment-cache-0.2.1.tgz",
@ -11644,33 +11784,19 @@
"integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==",
"dev": true
},
"node-domexception": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
"integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ=="
},
"node-fetch": {
"version": "2.6.5",
"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.5.tgz",
"integrity": "sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==",
"version": "3.2.0",
"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.2.0.tgz",
"integrity": "sha512-8xeimMwMItMw8hRrOl3C9/xzU49HV/yE6ORew/l+dxWimO5A4Ra8ld2rerlJvc/O7et5Z1zrWsPX43v1QBjCxw==",
"requires": {
"whatwg-url": "^5.0.0"
},
"dependencies": {
"tr46": {
"version": "0.0.3",
"resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
"integrity": "sha1-gYT9NH2snNwYWZLzpmIuFLnZq2o="
},
"webidl-conversions": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
"integrity": "sha1-JFNCdeKnvGvnvIZhHMFq4KVlSHE="
},
"whatwg-url": {
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
"integrity": "sha1-lmRU6HZUYuN2RNNib2dCzotwll0=",
"requires": {
"tr46": "~0.0.3",
"webidl-conversions": "^3.0.0"
}
}
"data-uri-to-buffer": "^4.0.0",
"fetch-blob": "^3.1.4",
"formdata-polyfill": "^4.0.10"
}
},
"node-int64": {
@ -13423,6 +13549,11 @@
"makeerror": "1.0.12"
}
},
"web-streams-polyfill": {
"version": "3.2.0",
"resolved": "https://registry.npmjs.org/web-streams-polyfill/-/web-streams-polyfill-3.2.0.tgz",
"integrity": "sha512-EqPmREeOzttaLRm5HS7io98goBgZ7IVz79aDvqjD0kYXLtFZTc0T/U6wHTPKyIjb+MdN7DFIIX6hgdBEpWmfPA=="
},
"webidl-conversions": {
"version": "6.1.0",
"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-6.1.0.tgz",


@ -1,46 +1,47 @@
{
"name": "step-security-harden-runner",
"version": "1.1.0",
"description": "GitHub Actions Runtime Security",
"main": "index.js",
"scripts": {
"build": "npm run main && npm run pre && npm run post",
"main": "ncc build src/index.ts --source-map",
"pre": "ncc build src/setup.ts --source-map -o dist/pre",
"post": "ncc build src/cleanup.ts --source-map -o dist/post",
"lint": "eslint src/**/*.ts"
},
"repository": {
"type": "git",
"url": "git+https://github.com/step-security/harden-runner.git"
},
"keywords": [],
"author": "Varun Sharma",
"license": "Apache License 2.0",
"bugs": {
"url": "https://github.com/step-security/harden-runner/issues"
},
"homepage": "https://github.com/step-security/harden-runner#readme",
"dependencies": {
"@actions/core": "^1.5.0",
"@actions/exec": "^1.1.0",
"@actions/github": "^5.0.0",
"@actions/http-client": "^1.0.11",
"@actions/tool-cache": "^1.7.1",
"node-fetch": "^2.6.1",
"uuid": "^8.3.2"
},
"devDependencies": {
"@types/jest": "^27.0.1",
"@types/node": "^16.9.0",
"@typescript-eslint/eslint-plugin": "^4.29.2",
"@typescript-eslint/parser": "^4.29.2",
"@vercel/ncc": "^0.30.0",
"eslint": "^7.32.0",
"eslint-config-google": "^0.14.0",
"jest": "^26.6.3",
"jest-junit": "^12.2.0",
"ts-jest": "^26.5.6",
"typescript": "^4.3.5"
}
"name": "step-security-harden-runner",
"version": "1.4.0",
"description": "Security monitoring for the GitHub-hosted runner",
"main": "index.js",
"scripts": {
"build": "npm run main && npm run pre && npm run post",
"main": "ncc build src/index.ts --source-map",
"pre": "ncc build src/setup.ts --source-map -o dist/pre",
"post": "ncc build src/cleanup.ts --source-map -o dist/post",
"lint": "eslint src/**/*.ts"
},
"repository": {
"type": "git",
"url": "git+https://github.com/step-security/harden-runner.git"
},
"keywords": [],
"author": "Varun Sharma",
"license": "Apache License 2.0",
"bugs": {
"url": "https://github.com/step-security/harden-runner/issues"
},
"homepage": "https://github.com/step-security/harden-runner#readme",
"dependencies": {
"@actions/core": "^1.5.0",
"@actions/exec": "^1.1.0",
"@actions/github": "^5.0.0",
"@actions/http-client": "^1.0.11",
"@actions/tool-cache": "^1.7.1",
"node-fetch": ">=3.2.0",
"uuid": "^8.3.2",
"ansi-regex": ">=5.0.1"
},
"devDependencies": {
"@types/jest": "^27.0.1",
"@types/node": "^16.9.0",
"@typescript-eslint/eslint-plugin": "^4.29.2",
"@typescript-eslint/parser": "^4.29.2",
"@vercel/ncc": "^0.30.0",
"eslint": "^7.32.0",
"eslint-config-google": "^0.14.0",
"jest": ">=27.4.7",
"jest-junit": ">=13.0.0",
"ts-jest": ">=27.1.3",
"typescript": "^4.3.5"
}
}
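Review bot: The new `>=` ranges (`"node-fetch": ">=3.2.0"`, `"ansi-regex": ">=5.0.1"`, and the jest, jest-junit and ts-jest lines) have no upper bound, so any future major release, including a breaking or compromised one, satisfies them on the next `npm install`; caret ranges such as `"node-fetch": "^3.2.0"` keep the audit fix while bounding that drift. The lockfile in this same commit has not been regenerated to match: package-lock.json still records the root version as "1.1.0" and `"node-fetch": ">=2.6.7"` in its root dependencies, while package.json now says 1.4.0 and `>=3.2.0`, and `npm ci` refuses to install when the two are out of sync. `ansi-regex` is added as a direct runtime dependency although nothing visible on this page imports it; if it exists only to force a transitive upgrade, a lockfile bump or npm `overrides` (where the npm version allows) expresses that intent without a phantom dependency. Since the action runs the ncc bundle under dist/, the versions baked into that bundle are the ones worth checking against the lockfile.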

22
src/checksum.ts Normal file

@ -0,0 +1,22 @@
import * as core from "@actions/core";
import * as crypto from "crypto";
import * as fs from "fs";
export function verifyChecksum(downloadPath: string) {
const fileBuffer: Buffer = fs.readFileSync(downloadPath);
const checksum: string = crypto
.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
const expectedChecksum: string =
"28427e325c00f49e391af0899f49fe34e73b36b113a9f095660b73da88c43280"; // checksum for v0.9.0
if (checksum !== expectedChecksum) {
core.setFailed(
`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`
);
}
core.debug("Checksum verification passed.");
}
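Review bot: On a mismatch `verifyChecksum` only calls `core.setFailed` and then falls through to the "Checksum verification passed." debug line, so the caller in src/setup.ts (L746) still proceeds to `tc.extractTar` and installs an agent whose digest did not match; the check is reported but not enforced. Replace `core.setFailed(` with `throw new Error(` on the same message so the setup step's surrounding try block handles it, and keep the debug line only on the success path. The bundled copy in dist/pre/index.js carries the same fall-through and needs a rebuild after the change. The expected digest is labelled "checksum for v0.9.0" while the matching download URL lives in setup.ts, so a comment on the constant naming that URL, or a single shared constant for both, would keep the two from drifting apart on the next agent bump. A `: void` return annotation on the exported function would also match the file's otherwise fully annotated style.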


@ -1,4 +1,5 @@
import { printInfo } from "./common";
import * as core from "@actions/core";
(async () => {
if (process.platform !== "linux") {
@ -6,6 +7,15 @@ import { printInfo } from "./common";
return;
}
var web_url = "https://app.stepsecurity.io";
printInfo(web_url);
if (
core.getBooleanInput("disable-telemetry") &&
core.getInput("egress-policy") === "block"
) {
console.log(
"Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true"
);
} else {
var web_url = "https://app.stepsecurity.io";
printInfo(web_url);
}
})();
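Review bot: `core.getBooleanInput("disable-telemetry")` at the top of the new condition throws a TypeError for any value outside the true/false spellings it accepts, and the async IIFE that opens in the first hunk has no try/catch, so a mistyped input turns the post step into an unhandled promise rejection rather than a reported failure. Wrapping the read in a try/catch that calls `core.setFailed` would mirror the try block that wraps the setup step and give both steps the same failure mode. Style-wise, `var web_url` inside the else block is function-scoped; `const web_url` says what is meant.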


@ -6,7 +6,7 @@ import * as path from "path";
import { v4 as uuidv4 } from "uuid";
import { printInfo } from "./common";
import * as tc from "@actions/tool-cache";
import { verifyChecksum } from "./checksum";
(async () => {
try {
if (process.platform !== "linux") {
@ -19,16 +19,6 @@ import * as tc from "@actions/tool-cache";
var api_url = `https://${env}.api.stepsecurity.io/v1`;
var web_url = "https://app.stepsecurity.io";
let _http = new httpm.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
await _http.get(
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
);
} catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
const confg = {
repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"],
@ -37,6 +27,7 @@ import * as tc from "@actions/tool-cache";
api_url: api_url,
allowed_endpoints: core.getInput("allowed-endpoints"),
egress_policy: core.getInput("egress-policy"),
disable_telemetry: core.getBooleanInput("disable-telemetry"),
};
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
@ -49,17 +40,44 @@ import * as tc from "@actions/tool-cache";
);
}
if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
core.setFailed("disable-telemetry must be a boolean value");
}
if (!confg.disable_telemetry) {
let _http = new httpm.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
await _http.get(
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
);
} catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
}
const confgStr = JSON.stringify(confg);
cp.execSync("sudo mkdir -p /home/agent");
cp.execSync("sudo chown -R $USER /home/agent");
// Note: to avoid github rate limiting
let token = core.getInput("token");
let auth = `token ${token}`;
const downloadPath: string = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.8.6/agent_0.8.6_linux_amd64.tar.gz"
"https://github.com/step-security/agent/releases/download/v0.9.0/agent_0.9.0_linux_amd64.tar.gz",
undefined,
auth
);
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = await tc.extractTar(downloadPath);
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
printInfo(web_url);
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
printInfo(web_url);
}
let cmd = "cp",
args = [path.join(extractPath, "agent"), "/home/agent/agent"];